0% found this document useful (0 votes)

109 views23 pages

Network-Centric Migration To Cisco ACI

The document provides a comprehensive guide for migrating existing brownfield networks to Cisco ACI, detailing the necessary steps and considerations for successful integration. It discusses the evolution of operations, policies, and components in data centers, emphasizing the mapping of traditional networking concepts to Cisco ACI constructs. Key topics include Layer 2 connectivity, virtual workload migration, and default gateway migration, with specific scenarios and methodologies outlined for effective transition.

Uploaded by

generalcc7

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

109 views23 pages

Network-Centric Migration To Cisco ACI

Uploaded by

generalcc7

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 23

Migrating Existing Networks to

Cisco ACI
Contents
Contents ............................................................................................................................................................................. 1
Introduction ....................................................................................................................................................................... 1
Migrating a Brownfield Network to Cisco ACI ................................................................................................................... 2
Layer 2 Connectivity with VLAN to EPG Static Mapping ................................................................................................ 3
Virtual Workloads Migration Considerations ................................................................................................................ 8
Default Gateway Migration Considerations ................................................................................................................ 12
Layer 3 Routing Between Brownfield and Greenfield Networks ................................................................................. 18
Migration of Layer 4 to Layer 7 Network Services ....................................................................................................... 19

Introduction
There are several current and future trends happening concurrently in the data center space, described as follows:

■ Operations evolution: Moving from the use of the CLI to orchestration tools to manage and operate the data center
network.

■ Policy evolution: Evolving from standard IP subnet firewall-based access control to advanced, policy-based access
control, which allows deploying new applications into a Cisco ACI g -

■ Component evolution: Interconnecting existing data center network infrastructure to newly deployed Cisco ACI
fabrics to allow applications to be gradually migrated from one infrastructure to another, ideally in a non-disruptive
manner.

These three evolution paths (shown as follows) may occur in parallel or in an independent and sequential way. The
main purpose of this guide is the migration of the underlying infrastructure.

Cisco Systems, Inc. www.cisco.com

1
Migrating a Brownfield Network to Cisco ACI

Note: A solid understanding of Cisco ACI and its functionalities is required to leverage the information contained in this
guide. For more background information on Cisco ACI, refer to the following link: http://www.cisco.com/go/aci.

Migrating a Brownfield Network to Cisco ACI

in interconnecting the existing brownfield network (built based on STP, vPC, or FabricPath technologies) to a newly
developed Cisco ACI POD with the end goal of migrating applications or workloads between those environments.

In order to accomplish this application migration task, it is required to map traditional networking concepts (VLANs, IP
subnets, VRFs, etc.) to new Cisco ACI constructs, like endpoint groups (EPGs), bridge domains, and Private Networks.
The Cisco ACI constructs previously mentioned is explained in more detail throughout this guide.

The following diagram shows the Cisco ACI network-centric migration methodology, which highlights the major steps
required for performing the migration of applications from a brownfield network to a Cisco ACI fabric.

The steps of the Cisco ACI network-centric migration methodology are described as follows:

2
1. The first step is the design and deployment of the new Cisco ACI POD (greenfield POD); it is likely that the size of
such a deployment is initially small with plans to grown in time with the number of applications that are migrated. A
typical Cisco ACI POD consists of at least two spine nodes and two leaf nodes, managed by a cluster of Cisco
APICs.

2. The second step is the integration between the existing data center network infrastructure (usually called the
brownfield Cisco ACI POD. Layer 2 and Layer 3 connectivity between the two networks is
required to allow successful applications and workload migration across the two network infrastructures.

3. The final step consists of migrating workloads between the brownfield and the greenfield network. This application
migration process may take several months to complete (depending also on the number and complexity of the
applications being migrated), so communication between greenfield and brownfield networks through the Layer 2
and Layer 3 connections previously mentioned is utilized during this phase.

Layer 2 Connectivity with VLAN to EPG Static Mapping

In Cisco ACI, VLANs do not exist inside the fabric; they are only defined on the edge ports connecting virtual or physical
endpoints. Hence, the meaning of the VLAN tags is localized on a per interface level. This method allows the possibility
to establish intra-IP subnet communication between devices that are part of Layer 2 segments identified by different
VLAN ID tags (VLAN cross-connect) or even other type of tags (VXLAN and NVGRE, for example).

The following diagram shows the Cisco ACI normalization of ingress encapsulation, which demonstrates the fabric
normalization of port encapsulations.

The traditional concept of VLAN as Layer 2 broadcast domain is replaced in the Cisco ACI fabric with a bridge domain,
representing the Layer 2 broadcast domain where endpoints (physical or virtual) connect.

As shown in the following diagram, on the Cisco ACI fabric it is possible to associate different VLAN tags (VLAN 20 and
30 in this example) defined on different edge ports to the same broadcast domain. The result is that endpoint
10.10.10.10 can still communicate with endpoint 10.10.10.11 even though they are attached to different VLANs.

3
Migrating a Brownfield Network to Cisco ACI

It is then possible to deploy endpoints as part of a specific security group, called an endpoint group (EPG) that is
associated with the bridge domain. In traditional networking, different security groups are usually associated to separate
VLANs (Layer 2 broadcast domains) and security policies get applied by leveraging Layer 3 ACLs defined on the routing
devices interconnecting them.

The recommended approach for a network centric migration consists of associating each VLAN originally defined in the
brownfield infrastructure to a corresponding EPG and bridge domain pair in the Cisco ACI fabric (VLAN = EPG = BD). It
should be noted that while the above is our recommended approach, Cisco ACI does give you the ability to associate
more than one endpoint group to the same Layer 2 broadcast domain, while maintaining logical isolation between
endpoints in the respective EPGs.

The following diagram shows the mapping of each migrated application to a separate EPG/bridge domain. Endpoints
10.10.10.10 and 10.10.10.11 cannot communicate to endpoints 10.20.20.10 or 10.20.20.11 unless explicitly configured.
This holds true even if all the hosts were on the same Layer 2 domain or IP subnet.

4
To connect the brownfield network and the Cisco ACI fabric using Layer 2 and perform the workload migration:

1. Establish a double-sided vPC connection between a pair of Cisco ACI border leaf nodes and the two devices
representing the boundary between Layer 2 and Layer 3 in the brownfield infrastructure. Depending on the
technology used in the legacy network (STP, vPC, or FabricPath), this Layer 2/Layer 3 boundary may be found at the
aggregation layer or on a dedicated pair of devices normally named border leaf nodes. The following diagram shows
brownfield VLANs connected to the Cisco ACI fabric.

Note: The use of a dedicated border leaf node pair is recommended but not required.

In the previous example, the brownfield network is represented by a FabricPath implementation leveraging a default
gateway deployment at the spine layer (that is, the spines also perform the duty of border leaf nodes). A double-
sided vPC+ connection to a pair of Cisco ACI leaf nodes allows extending Layer 2 connectivity between the two
network infrastructures without creating any Layer 2 loop, hence maintaining all the vPC links actively forwarding
traffic.

Note: This design would look identical if the brownfield network was built with STP or vPC technologies as opposed
to FabricPath.

5
Migrating a Brownfield Network to Cisco ACI

2. Associate endpoints connected to VLANs in the brownfield network to security groups defined in the Cisco ACI fab-
ric and named endpoint groups (EPGs). The recommended approach discussed in this paper consists in statically
mapping VLAN tags to EPGs on the Cisco ACI leaf nodes connecting to the brownfield network. When doing so,
there are a couple of specific use cases worth considering.

Scenario 1: 1:1 Mapping between Brownfield VLANs and EPGs

The first case involves an application that is being migrated from a classical multi-tier architecture, where each tier is
associated to a separate VLAN segment. Each VLAN segment, in this case, is dedicated to a given application tier, and a
different application would use a different VLAN for the same tier (that is, workloads for the Web Tier of App1 are deployed
on VLAN 10, and workloads for the Web Tier of App2 on VLAN 20, as shown in the following diagram:

In this scenario, which is shown in the following diagram, performing VLAN10/EPG1 and VLAN20/EPG2 static mappings
ensures that the workloads connected to the brownfield network remain part of the same Layer 2 broadcast domain with
the workloads that are migrated to the Cisco ACI fabric.

6
Also, as previously explained, different VLAN tags can be used for the workloads migrated to the Cisco ACI fabric, as
long as they are also mapped to the proper EPG1 or EPG2 group, as shown above.

The examples shown in the previous diagrams follow the recommended approach of assigning a dedicated bridge
domain and EPG for each brownfield VLAN (brownfield VLAN = EPG = BD). Once the static mapping is performed, Layer
2 (intra-IP subnet) communication can be successfully established between workloads connected to the brownfield
FabricPath and the greenfield (Cisco ACI fabric) networks.

Using the VLAN to EPG static binding method allows you to migrate workloads to the Cisco ACI fabric in the least
disruptive way. If the workloads are virtualized, it is possible to perform VM live migration (more considerations about
-metal servers, it
is possible to physically move it between networks without having to perform any IP re-addressing.

Scenario 2: Mapping a Brownfield VLAN to Different EPGs

The second scenario is where the applications in the brownfield network are still deployed with multiple tiers, but the
same VLAN segment is utilized by workloads belonging to the same tier of different applications (that is, workloads for
the Web Tier of App1 and App2 are all connected to the same VLAN 10, as depicted in the following diagram).

The goal is to have workloads migrated to the Cisco ACI fabric and eventually assigned to separate EPGs, to take
advantage of the security functionalities offered by Cisco ACI to logically isolate groups of endpoints. The static
VLAN/EPG mapping performed on the Cisco ACI leaf nodes causes the assignment of the workloads part of VLAN 10 to
a common EPG, as shown in the following diagram:

7
Migrating a Brownfield Network to Cisco ACI

In this scenario, the workloads belonging to the Web tier of different applications are logically isolated between them as
soon as they are migrated to the Cisco ACI fabric. To allow communication to the workloads located in the brownfield
network, a contract is required between EPG_Outside and EPG1 and between EPG_Outside and EPG2. A contract is a
Cisco ACI construct that allows or denies communication between EPGs.

Virtual Workloads Migration Considerations

Specific considerations are required for the migration of virtual workloads between the brownfield network and the Cisco
ACI fabric. The focus of this guide is on vSphere deployments, as ESXi is likely the prevalent hypervisor utilized in
brownfield deployments. The main goal of the migration procedure is to ensure that virtual machines originally connected
to the brownfield network can be moved to ESXi resources in the newly deployed Cisco ACI fabric. Ideally the procedure
should be performed in a seamless manner (that is, live vMotion).

The following two scenarios are probably the most commonly encountered in a real life deployment:

1. Scenario 1: The same vCenter server deployed in the brownfield network to manage locally connected ESXi clusters
is also managing new ESXi clusters added to the Cisco ACI fabric.

2. Scenario 2: One (or more) vCenter servers are deployed in the Cisco ACI fabric to manage new ESXi clusters,
whereas a separate vCenter server remains connected to the brownfield network to manage locally connected ESXi
hosts.

The following two sections describe the migration steps required for these two scenarios.

Scenario 1: Single vCenter Server Managing ESXi Clusters in Brownfield and Greenfield

In this scenario, the virtual machines are initially connected to port-groups that have been manually created on the VMware
Distributed Virtual Switch (DVS) deployed across the ESXi clusters connected to the brownfield site, as shown in the
following diagram:

The following are the steps required to complete the migration procedure:

1. Connect the new ESXi hosts in the Cisco ACI fabric to the same DVS already used by the hosts on the brownfield
site. This ensures that the port-groups where the virtual machines are initially connected are made available also on

8
the ESXi hosts connected to the Cisco ACI fabric.

2. At this point, having connected the two networks using Layer 2 as discussed in the previous section, the virtual ma-
chines can be migrated in a live fashion (live vMotion) from the brownfield to the greenfield network. In the example
in the following diagram, the red VMs are moved to the ESXi hosts connected to the Cisco ACI fabric.

Note: This scenario does not involve VMM integration. You attach to the ESXi hosts and the brownfield envi-
ronment using a static binding under the EPG (just as you would with bare-metal hosts).

The following diagram shows a live migration of VMs to the Cisco ACI fabric.

The VMs moved to the new ESXi hosts are part of the same port-group used in the brownfield site. This implies that
the same VLAN tag is used at this point by the VMs to send traffic into the Cisco ACI fabric. A static mapping is
therefore required on the Cisco ACI leaf nodes connecting to the ESXi hosts, so that traffic originated from the mi-
grated VMs can be properly classified and associated to the EPG that this means
that the ESXi hosts are in this phase integrated into Cisco ACI as physical resources (that is, part of a physical do-
main). The default gateway of the newly migrated VMs remains on the brownfield side.

Note: The requirement for the new ESXi host is to be equipped with at least a pair of physical uplinks to be
able to be connected simultaneously to the two DVSs.

9
Migrating a Brownfield Network to Cisco ACI

As shown above, the red VMs at this point are still connected to the manually created static port-groups
associated to the old DVS, whereas the purple VMs for new applications directly deployed on the Cisco ACI
fabric can be connected to dynamically created port-groups associated to the new DVS.

As a last migration step, it is then possible to move the red VMs to the dynamically created port-group
associated to the EPG on the new DVS (shown as follows).

This is advantageous from an operational perspective, because it allows the removal of the old DVS from the
configuration at the end of the migration process for all the workloads, as seen in the following diagram. It
may also allow for a convenient rollback situation during the migration if any misconfiguration were
uncovered in any part of the infrastructure.

10
Scenario 2: Separate vCenter Servers for Brownfield and Greenfield
In the second scenario, a separate vCenter server is introduced to manage the new ESXi resources connected to the
Cisco ACI fabric, as shown in the following diagram.

The migration procedure in this case must be modified as follows:

1. Pair the new vCenter with the Cisco APIC cluster. This process creates a VMM domain and dynamically push-
es a new DVS to all the new ESXi hosts in the Cisco ACI fabric. The ESXi hosts can then be connected to this
newly created DVS.
2. The EPGs to be used for the migrated workloads are associated to the VMM domain, which implies corre-
sponding port-groups are also dynamically added to the DVS.

11
Migrating a Brownfield Network to Cisco ACI

3. Perform the live migration of workloads between ESXi clusters. The following diagram shows the inter-
vCenter live migration of VMs.

The capability of performing vMotion between ESXi hosts managed by separate vCenter servers has been introduced in
vSphere 6.0 software release. Support for integration between Cisco ACI and vSphere 6.0 is introduced in the Cisco ACI
1.1(2h) release.

Note: Support for vMotion between ESXi hosts managed by different vCenter servers is introduced from Cisco ACI
release 1.2.

Default Gateway Migration Considerations

The default gateway used by the workloads to establish communication outside their IP subnet is initially maintained in
the brownfield network; this implies that the Cisco ACI fabric initially provides only Layer 2 services for devices part of
EPG1, and the workloads already migrated to the Cisco ACI fabric send traffic to the brownfield network when they need
to communicate with devices external to their IP subnet (shown in the following diagram).

To enable this behavior, you must configure specific properties on the bridge domain defined in the Cisco ACI fabric and
associated to the legacy VLAN 10 (shown in the following diagram). The default settings for a bridge domain have ARP

12
Flooding disabled and Unicast Routing enabled. For Layer 2 communication to work, you must adjust these settings
from the defaults.

 Disable Unicast Routing: The Cisco ACI fabric must behave as a Layer 2 network in this initial migration phase,
therefore it is required to uncheck the flag to disable the Unicast Routing capabilities. As a consequence, the
Cisco ACI fabric will only forward traffic for endpoints part of this bridge domain by performing Layer 2 lookups
and only MAC address information would be stored in the Cisco ACI database for those workloads (that is, their
IP addresses will not be learned).

 Enable ARP flooding: ARP requests originated from devices connected to the Cisco ACI fabric should be able to
reach the default gateway or other endpoints part of the same IP subnet and still connected to the brownfield
network. Since those entities are unknown to the Cisco ACI fabric, it is required to flood ARP requests across
the Cisco ACI fabric and toward the brownfield network.

 Enable Unknown Unicast flooding: similar considerations valid for ARP traffic apply also to Layer 2 unknown
traffic (unicast and multicast), so it is required to ensure flooding is enabled in this phase for those traffic types.

13
Migrating a Brownfield Network to Cisco ACI

Once all (or the majority of) the workloads belonging to the IP subnet are migrated into the Cisco ACI fabric, it is then
possible to also migrate the default gateway into the Cisco ACI domain. This migration is done by turning on Cisco ACI
routing in the bridge domain and de-configuring the default gateway function on the brownfield network devices.

The following diagram shows how to enable Cisco ACI Unicast Routing.

1. Enable unicast routing.

2. Set the gateway MAC address to match the address that you previously used in the brownfield gateway.

3. Set L2 Unknown Unicast to Hardware Proxy.

4. Disable ARP flooding.

14
As shown in the previous diagram, Cisco ACI allows the administrator to statically configure the MAC address associated
to the default gateway defined for a specific bridge domain: it is therefore possible to use the same MAC address
previously used for the default gateway in the legacy network, so that the gateway move is completely seamless for the
workloads connected to the Cisco ACI fabric (that is, there is no need to refresh their ARP cache entry).

Once the migration of an application is completed, you can leverage all the flooding containment functionalities offered
by the Cisco ACI fabric. Specifically, you can set L2 Unknown Unicast to Hardware Proxy and disable ARP flooding.

Note: This is possible only if there are no workloads belonging to that specific Layer 2 broadcast domain that remain
connected to the brownfield network (that is, all the workloads, physical and virtual, have been migrated to the Cisco ACI
fabric). In real life deployments, there are often specific hosts that remain connected to the brownfield network for quite
a long time. This is usually the case for bare-metal servers, like for example Oracle RAC databases that remain
untouched until the following refresh cycle. Even in this case it may make sense to move the default gateway for those
physical servers to the Cisco ACI fabric. This method will provide the environment with a centralized point of
management for security policies, which can be applied between IP subnets; however, the flooding of traffic must remain
enabled.

Once the default gateway for different IP subnets is moved to the Cisco ACI fabric, routing communication between
workloads belonging to the migrated subnets will always occur on the Cisco ACI leaf nodes leveraging the distributed
Anycast gateway functionality.

As shown in the following diagram, this is true for workloads that are still connected to the brownfield network (routing
happens on the pair of border leaf nodes interconnecting brownfield and greenfield infrastructure). Once workloads are
migrated to the Cisco ACI fabric, traffic will be routed by leveraging the Anycast gateway functionality on the leaf node
where they are connected.

15
Migrating a Brownfield Network to Cisco ACI

Migrating the workloads and their default gateway to the Cisco ACI fabric brings advantages even when maintaining the
security policies at the IP subnet level, as it allows the Cisco ACI fabric to become the single point of security policy
enforcement between IP subnets hence providing a sort of ACL management functionality. As always, this can be
achieved following a gradual procedure: once the default gateway for the different IP subnets has been moved to the
Cisco ACI fabric, it is possible to enable full and open connectivity between endpoints connected to different EPGs (IP
EPGs (shown as follows).

With this configuration in place, every time a workload tries to communicate with a device in a different EPG (IP subnets),
a centrally managed security policy is applied to the Cisco ACI leaf node where the distributed default gateway function
ween
the devices, as shown in the following diagram.

16
As previously mentioned, because routing between different IP subnets is performed at the Cisco ACI fabric level, the
security policy can be enforced not only between hosts connected to the Cisco ACI fabric, but will also be applied to
devices connected to VLAN segments in the brownfield infrastructure.

A key advantage of the Cisco ACI centrally managed policy system is the ability to restrict communication between hosts
belonging to different IP subnets. With Cisco ACI, it is possible to restrict communication between hosts in a holistic
manner by applying a central policy from the Cisco APIC, dictating which traffic flows are allowed and to and from each
of the respective EPGs.

The data plane security policy enforcement between a pair of EPGs is shown in the following diagram.

17
Migrating a Brownfield Network to Cisco ACI

Layer 3 Routing Between Brownfield and Greenfield Networks

Even though the brownfield and greenfield networks are connected at Layer 2, there may still be IP subnets/VLANs that
are not extended to the Cisco ACI fabric. For workloads belonging to the Cisco ACI fabric to communicate with those IP
subnets, Layer 3 routing should be enabled between the Cisco ACI fabric and the brownfield network, as shown in the
following diagram:

Given that the establishment of dynamic routing peering through a vPC connection is not fully supported across different
Cisco Nexus platforms, and that it is likely that the brownfield network is already connected to the WAN using an
additional pair of Layer 3 core devices, one possible approach the approach consists in leveraging dedicated Layer 3
links connect the Cisco ACI fabric to those Layer 3 devices, as shown in the following diagram.

18
Note: Using a pair of Layer 3 links is usually sufficient, but to increase the resiliency of the solution it is also possible to
deploy a full mesh of connections between the Cisco ACI leaf nodes and the Layer 3 devices. Also, an alternative design
option could be used to connect the Cisco ACI nodes to the brownfield aggregation/spine nodes. The approach shown
above is preferred, as it simplifies the eventual migration to the Cisco ACI fabric of connectivity to the WAN.

In this scenario, the Cisco ACI fabric sees the IP subnet 10.30.30.0/24 as an external prefix reachable using an L3Out
connection established with the pair of Layer 3 devices in the brownfield network. Devices connected to the Cisco ACI
fabric, and belonging to EPG1, can benefit from the Anycast Default Gateway functionalities.

Migration of Layer 4 to Layer 7 Network Services

Cisco ACI does not offer yet the capability to integrate network service functions (like FW and SLB) between endpoints

(PBR). This implies that it is required to deploy more traditional design options to ensure traffic can be sent across a
chain of network services. The adopted solution depends on the mode of deployment of the network services:

1. Network services in transparent mode: least common model, after migrating the network services to the Cis-
co ACI fabric, the fabric performs traffic stitching across the service nodes and offers distributed default
gateway and access control services to the workloads deployed in different EPGs.
2. Network services as default gateway for the workloads: when migrating the network services to Cisco ACI,
the Cisco ACI simply offers Layer 2 services to allow workload to communicate with the gateway.
3. Network services in routed mode and stitched in the data path (“VRF sandwich”): the Cisco ACI fabric is the
default gateway for the tenant workload and the use of VRF stitching is in place to ensure traffic traverses
the various network services node.

Independently from the specific network services deployment model, the procedure to integrate those services
into the Cisco ACI fabric remains similar and leverages the fact that network services are usually deployed as a
pair of active / standby nodes. This is true regardless of whether or not the network service devices are physical
or virtual.

For example, consider the migration procedure required for the scenario where the network services are de-
ployed in routed mode and stitched in the data path by leveraging VRF stitching. Focus on a FW deployment sce-
nario, in which similar considerations apply to Server Load Balancers. In a traditional data center network design,

19
Migrating a Brownfield Network to Cisco ACI

the network services are usually connected to the devices at the Layer 2/Layer 3 demarcation line, either as phys-
ical services appliances or as services modules inserted in a service chassis, shown as follows. (This diagram
shows network services in a traditional data center design.)

As shown in the previous diagram, both North-South and East-West traffic is pushed to the network services, in
our example leveraging a VRF sandwich approach.

As mentioned in previous sections of this guide, the migration to the Cisco ACI fabric consists not only in moving
their workloads initially connected to the brownfield network, but also in relocating into the Cisco ACI fabric spe-
cific services like routing and security policy enforcement (as previously shown in this guide). The stitching of traf-
fic through the network services can also be enforced at the Cisco ACI fabric level, leveraging the same VRF
sandwich design option. The following diagram shows the VRF sandwich for network services integration.

20
From a physical perspective, it is likely that the initial Cisco ACI deployment could be built with a limited number
of Cisco ACI nodes, for then being scaled out in time, as shown in the simplified option as shown in the following
diagram.
(This is a simplified diagram for Layer 2 connectivity to Cisco ACI.)

21
Migrating a Brownfield Network to Cisco ACI

The following diagram shows an alternate view of the topology, showing the connectivity between the brown-
field network and the Cisco ACI fabric:

By comparing this diagram with the diagram showing network services in a traditional data center design, you
can understand how introducing even a small Cisco ACI fabric built with four nodes allows you to relocate and
centralize the routing, access control, and network services functionalities, which will simplify the overall man-
agement and operation of the network.

This is the case even when keeping the workloads connected to the brownfield network.
When the goal is the migration of the workloads to the Cisco ACI fabric, the end goal is to relocate not only those
workloads but also the services nodes, as shown in the following diagram. (This diagram shows the end state for
the migration of network services to the Cisco ACI fabric.)

22
The procedure for workload migration has already been discussed in the previous sections of this guide. Concern-
ing the migration of network services, it is advantageous that they are usually deployed as a pair of Ac-
tive/Standby devices. This deployment allows us to provide a seamless migration in two simple steps:

1. Disconnect the standby node from the brownfield network and connect it to a pair of Cisco ACI leaf nodes. A
vPC connection is usually leveraged for connecting the network service device to the leaf nodes and a static
mapping of local VLAN tags to the proper EPGs ensures proper communication to the network. The
keepalives between active and standby nodes can still be exchanged, either using the interconnection links
between the brownfield network and the Cisco ACI fabric, or using dedicated OOB connections. As a conse-
quence, the active service node in this phase remains connected to the brownfield network, whereas the
standby is connected to the Cisco ACI fabric. The following diagram shows the migration of the standby node
to the Cisco ACI fabric.

2. Disconnect the active node from the brownfield network. This triggers the failover event that causes the ser-
vice node connected to the Cisco ACI fabric to become active. The Cisco ACI fabric is now performing all the
routing and VRF stitching functions to ensure all the communications between EPG1 and EPG2 are enforced
using the firewall node. The disconnected node is then re-connected to the Cisco ACI fabric; the recommen-
dation is to connect it to the same pair of Cisco ACI leaf nodes where the currently active node is connected,
but there is no technical reason not to connect it to a separate pair of leaf nodes.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other
countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks
mentioned are the property of their respective owners. The use of the word partner does not imply a partnership
relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses
and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in
the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative
content is unintentional and coincidental.

ACIFundamentalsLabGuide2 2
No ratings yet
ACIFundamentalsLabGuide2 2
99 pages
ACI Multi-Pod: Cisco Public
No ratings yet
ACI Multi-Pod: Cisco Public
54 pages
Cisco ACI 250 Interview Questions and Answers
No ratings yet
Cisco ACI 250 Interview Questions and Answers
33 pages
Cisco ACI Course: Comprehensive Guide
No ratings yet
Cisco ACI Course: Comprehensive Guide
2 pages
ACI Multi-Pod Upgrade MOP - Adecco v.05
No ratings yet
ACI Multi-Pod Upgrade MOP - Adecco v.05
71 pages
APIC Controller Commands
100% (1)
APIC Controller Commands
3 pages
Cisco ACI Setup Guide for Admins
No ratings yet
Cisco ACI Setup Guide for Admins
82 pages
ACI Fabric Endpoint Learning
No ratings yet
ACI Fabric Endpoint Learning
68 pages
BRKACI-2291-How To Setup An ACI Multi-Site With Single POD and Multipod
No ratings yet
BRKACI-2291-How To Setup An ACI Multi-Site With Single POD and Multipod
55 pages
Cisco 7 HSRP
No ratings yet
Cisco 7 HSRP
28 pages
Cisco Nexus Dashboard Guide
No ratings yet
Cisco Nexus Dashboard Guide
130 pages
WBCCIESecV6
No ratings yet
WBCCIESecV6
286 pages
5 ACI Monitoring and Tshoot PDF
No ratings yet
5 ACI Monitoring and Tshoot PDF
82 pages
ACI VLAN Types-and-VLAN Scope
No ratings yet
ACI VLAN Types-and-VLAN Scope
7 pages
NEXUS LACP Configuration Fryguy
No ratings yet
NEXUS LACP Configuration Fryguy
14 pages
Group Encrypted Transport VPN (GETVPN) Design and Implementation Guide
100% (1)
Group Encrypted Transport VPN (GETVPN) Design and Implementation Guide
220 pages
Cisco ACI Multi-Pod Vs Multi-Site Detailed Comparison - IP With Ease
No ratings yet
Cisco ACI Multi-Pod Vs Multi-Site Detailed Comparison - IP With Ease
7 pages
ACI Troubleshooting Guide
No ratings yet
ACI Troubleshooting Guide
121 pages
Brkaci 2608
No ratings yet
Brkaci 2608
95 pages
BRKDCT-2642 Migration From Classic Design To ACI Fabric
No ratings yet
BRKDCT-2642 Migration From Classic Design To ACI Fabric
55 pages
Implementing Cisco NX-OS Switches and Fabrics in The Data Center (DCNX) v1.0
No ratings yet
Implementing Cisco NX-OS Switches and Fabrics in The Data Center (DCNX) v1.0
3 pages
ACI Multisite Deployment - BRKACI-3502
100% (1)
ACI Multisite Deployment - BRKACI-3502
76 pages
ACI White Paper Design
No ratings yet
ACI White Paper Design
155 pages
Cisco SD-Access Workbook
100% (1)
Cisco SD-Access Workbook
29 pages
Cisco APIC Install & Upgrade Guide
100% (1)
Cisco APIC Install & Upgrade Guide
13 pages
DGTL Brkaci 2934
No ratings yet
DGTL Brkaci 2934
107 pages
23.1.4 Lab - Troubleshoot IP SLA and Netflow
No ratings yet
23.1.4 Lab - Troubleshoot IP SLA and Netflow
5 pages
23 ACI T-Shoot Commands - LEARN WORK IT
No ratings yet
23 ACI T-Shoot Commands - LEARN WORK IT
7 pages
NJ SDWAN - Workbook v7.0
No ratings yet
NJ SDWAN - Workbook v7.0
35 pages
Cisco ACI Layer3 Migration Best Practices: Customer Experience, Cisco Systems G.K
No ratings yet
Cisco ACI Layer3 Migration Best Practices: Customer Experience, Cisco Systems G.K
33 pages
Lg-Dcaciv1.2 Aci v6 July 2023 - DP
No ratings yet
Lg-Dcaciv1.2 Aci v6 July 2023 - DP
453 pages
ACI Layer 3 IP Multicast White Paper c11 737592
No ratings yet
ACI Layer 3 IP Multicast White Paper c11 737592
23 pages
ACI Muti-Pod
No ratings yet
ACI Muti-Pod
59 pages
Brkccie 3351
No ratings yet
Brkccie 3351
82 pages
Data Center Interconnect
No ratings yet
Data Center Interconnect
70 pages
Brkaci 2102 PDF
No ratings yet
Brkaci 2102 PDF
142 pages
BRKACI-2003-Cisco ACI Multi-Pod Design and Deployment
No ratings yet
BRKACI-2003-Cisco ACI Multi-Pod Design and Deployment
70 pages
WLC Faq
No ratings yet
WLC Faq
21 pages
BGP EVPN+VXLAN on Cisco Nexus Guide
No ratings yet
BGP EVPN+VXLAN on Cisco Nexus Guide
18 pages
CCNP Routing and Switching ROUTE 300-101 Official Cert Guide
100% (3)
CCNP Routing and Switching ROUTE 300-101 Official Cert Guide
189 pages
Nexus 7000 Lab Guide
0% (1)
Nexus 7000 Lab Guide
46 pages
Juniper Mist Enterprise Product Portfolio
No ratings yet
Juniper Mist Enterprise Product Portfolio
1 page
BRKACI-2102 ACI Troubleshooting PDF
No ratings yet
BRKACI-2102 ACI Troubleshooting PDF
121 pages
Teccrs 3800
No ratings yet
Teccrs 3800
431 pages
LABDCT 2001 (Guide) Nexus.7000
No ratings yet
LABDCT 2001 (Guide) Nexus.7000
44 pages
Sdwan User Guide v16 1 r2
No ratings yet
Sdwan User Guide v16 1 r2
154 pages
ACI Multipod Setup Guide
100% (1)
ACI Multipod Setup Guide
52 pages
Ine DC Lab 2 Tasks
No ratings yet
Ine DC Lab 2 Tasks
6 pages
Cisco ACI CLI Commands Cheat Sheet
No ratings yet
Cisco ACI CLI Commands Cheat Sheet
10 pages
BRKDCT-2334 Real World Data Centre Deployments and Best Practice Session
No ratings yet
BRKDCT-2334 Real World Data Centre Deployments and Best Practice Session
126 pages
BRKSEC 3432 Design
100% (1)
BRKSEC 3432 Design
230 pages
CCIE Ent v1 PDF
0% (1)
CCIE Ent v1 PDF
4 pages
Chapter 8 Implementing Tenant Policies
No ratings yet
Chapter 8 Implementing Tenant Policies
75 pages
Chapter 1 The Big Picture Why ACI
No ratings yet
Chapter 1 The Big Picture Why ACI
23 pages
ACI MultiSite Forwarding CheatSheet
No ratings yet
ACI MultiSite Forwarding CheatSheet
2 pages
DC - Phyton Script-Lab 2
No ratings yet
DC - Phyton Script-Lab 2
9 pages
Cisco Application Centric Infrastructure (ACI) Release 2.3 - Design Guide PDF
No ratings yet
Cisco Application Centric Infrastructure (ACI) Release 2.3 - Design Guide PDF
158 pages
SW Cisco Nflowcfg Clfnotes 02212013
100% (1)
SW Cisco Nflowcfg Clfnotes 02212013
9 pages
Brownfield To ACI Migration Deployment Guide: First Published: August, 2015
No ratings yet
Brownfield To ACI Migration Deployment Guide: First Published: August, 2015
22 pages
01 ACI Intro Basics
No ratings yet
01 ACI Intro Basics
87 pages
TCPIP
No ratings yet
TCPIP
6 pages
En 05 10076
No ratings yet
En 05 10076
321 pages
What's The Difference Between IP Address 0.0.0.0 A
No ratings yet
What's The Difference Between IP Address 0.0.0.0 A
4 pages
WR 6895
No ratings yet
WR 6895
173 pages
eJPT Networking & Scanning Guide
No ratings yet
eJPT Networking & Scanning Guide
51 pages
l4 FC Ec Noisy Noiseless HDLC PPP
No ratings yet
l4 FC Ec Noisy Noiseless HDLC PPP
24 pages
TC2479en-Ed18 Rainbow WebRTC Gateway With OXO Connect-OXO Connect Evolution
No ratings yet
TC2479en-Ed18 Rainbow WebRTC Gateway With OXO Connect-OXO Connect Evolution
65 pages
Mellanox SN2100 - Hardware
No ratings yet
Mellanox SN2100 - Hardware
112 pages
Networking Essentials 2.0 Module8
No ratings yet
Networking Essentials 2.0 Module8
58 pages
TS.64 v1.0 FWA Devices Architecture and Requirements
No ratings yet
TS.64 v1.0 FWA Devices Architecture and Requirements
73 pages
A Note On The Use of These PPT Slides:: Computer Networking: A Top Down Approach Featuring The Internet
100% (1)
A Note On The Use of These PPT Slides:: Computer Networking: A Top Down Approach Featuring The Internet
70 pages
BRKCRS-2810 Cisco Software-Defined Access
No ratings yet
BRKCRS-2810 Cisco Software-Defined Access
83 pages
Quectel BG95M3 Firmware Release Notes V0204 01.003.01.003
No ratings yet
Quectel BG95M3 Firmware Release Notes V0204 01.003.01.003
19 pages
Mpls Lab 2 - Mpls VRF Vpns
No ratings yet
Mpls Lab 2 - Mpls VRF Vpns
13 pages
Introduction of A Router Question and Answers
No ratings yet
Introduction of A Router Question and Answers
3 pages
Haifux Wireless Hacking
No ratings yet
Haifux Wireless Hacking
70 pages
Swe2002 Computer-Networks Eth 1.0 37 Swe2002
No ratings yet
Swe2002 Computer-Networks Eth 1.0 37 Swe2002
4 pages
GlassFish 3: HTTP to HTTPS Setup
No ratings yet
GlassFish 3: HTTP to HTTPS Setup
2 pages
Unix/Linux Shared Memory Guide
No ratings yet
Unix/Linux Shared Memory Guide
4 pages
SONET/SDH Introduction - : What Is The Difference Between SONET and SDH?
No ratings yet
SONET/SDH Introduction - : What Is The Difference Between SONET and SDH?
23 pages
Logs 07092020-CORE-NEXUS
No ratings yet
Logs 07092020-CORE-NEXUS
49 pages
Ceragon's Network Solutions Guide
No ratings yet
Ceragon's Network Solutions Guide
25 pages
Configure TP-Link TD-W8968 for BSNL/MTNL
No ratings yet
Configure TP-Link TD-W8968 for BSNL/MTNL
21 pages
5.3.1.1 OSPF Troubleshooting Mastery Instructions IG PDF
No ratings yet
5.3.1.1 OSPF Troubleshooting Mastery Instructions IG PDF
3 pages
Global MPLS Design Using Carrier Supporting Carrier
No ratings yet
Global MPLS Design Using Carrier Supporting Carrier
86 pages
Cisco: Questions & Answers (Retail Version - Full Questions Set)
No ratings yet
Cisco: Questions & Answers (Retail Version - Full Questions Set)
27 pages
Netscaler Data Sheet
No ratings yet
Netscaler Data Sheet
11 pages
A10 4.1.1-P11 DCFW
100% (1)
A10 4.1.1-P11 DCFW
142 pages
Destination Sequenced Distance Vector Routing
No ratings yet
Destination Sequenced Distance Vector Routing
3 pages
Subject - Computer Networks
No ratings yet
Subject - Computer Networks
3 pages

Network-Centric Migration To Cisco ACI

Uploaded by

Network-Centric Migration To Cisco ACI

Uploaded by

Migrating Existing Networks to

Cisco Systems, Inc. www.cisco.com

Migrating a Brownfield Network to Cisco ACI

Layer 2 Connectivity with VLAN to EPG Static Mapping

Scenario 1: 1:1 Mapping between Brownfield VLANs and EPGs

Scenario 2: Mapping a Brownfield VLAN to Different EPGs

Virtual Workloads Migration Considerations

The migration procedure in this case must be modified as follows:

Default Gateway Migration Considerations

1. Enable unicast routing.

3. Set L2 Unknown Unicast to Hardware Proxy.

4. Disable ARP flooding.

Layer 3 Routing Between Brownfield and Greenfield Networks

Migration of Layer 4 to Layer 7 Network Services

© 2023 Cisco Systems, Inc. All rights reserved.

You might also like